Secure endpoint
I'm creating a website using Xano. I found out that users can inspect the website and find the endpoint in my JavaScript files. Is there a way I can make the endpoint only run if it's being run on a specific domain?
Comments
This is a common situation that a lot of people don't notice, so it's great that you're asking! Yes, this can be a risk if you have sensitive endpoints that lack authentication or regulation. If you mostly use authenticated endpoints you're much better off: they basically refuse traffic if the user hasn't already logged in.
Higher-work approaches include:
- Add a request header that is specific to your web host
- Generate a CSRF token to regulate requests
- Check for repeat requests from a given domain to block attacks
Xano can work with any of the above, and others, with a few lines of directives in the function stack.
We discuss issues of security frequently as part of our focus on the hardest 5% during our daily State Change Pro office hours.
Here's a video we released on our YouTube channel recently going over some of the methods you can use to secure your Xano APIs.